Sign-up

VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201203-0378 CVE-2012-1454 Multiple products ELF Vulnerability in parser that prevents malware detection CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Dr.Web 5.0.2.03300, eSafe 7.0.17.0, McAfee Gateway (formerly Webwasher) 2010.1C, Rising Antivirus 22.83.00.03, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified ei_version field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF There are vulnerabilities in parsers that prevent malware detection. Multiple Antivirus products are prone to a vulnerability that may allow an attacker to bypass on-demand scans. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: eSafe Antivirus 7.0.17.0 McAfee McAfee-GW-Edition 2010.1C Rising Antivirus 22.83.00.03 Panda Antivirus 10.0.2.7
VAR-201203-0381 CVE-2012-1457 Multiple products TAR Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal (aka Cat QuickHeal) 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, G Data AntiVirus 21, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004, VBA32 3.12.14.2, and VirusBuster 13.6.151.0 allows remote attackers to bypass malware detection via a TAR archive entry with a length field that exceeds the total TAR file size. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Multiple products TAR A file parser contains a vulnerability that can prevent malware detection. Different TAR If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.By a third party TAR Total file size exceeded length With field TAR Malware detection can be bypassed via archive entries. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Vulnerabilities exist in the TAR file parser in version 1004, Trend Micro HouseCall version 9.120.0.1004, VBA32 version 3.12.14.2, and VirusBuster version 13.6.151.0. ============================================================================ Ubuntu Security Notice USN-1482-1 June 19, 2012 clamav vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS Summary: ClamAV could improperly detect malware if it opened a specially crafted file. Software Description: - clamav: Anti-virus utility for Unix Details: It was discovered that ClamAV incorrectly handled certain malformed TAR archives. (CVE-2012-1457, CVE-2012-1459) It was discovered that ClamAV incorrectly handled certain malformed CHM files. (CVE-2012-1458) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: clamav 0.97.5+dfsg-1ubuntu0.12.04.1 clamav-daemon 0.97.5+dfsg-1ubuntu0.12.04.1 libclamav6 0.97.5+dfsg-1ubuntu0.12.04.1 Ubuntu 11.10: clamav 0.97.5+dfsg-1ubuntu0.11.10.1 clamav-daemon 0.97.5+dfsg-1ubuntu0.11.10.1 libclamav6 0.97.5+dfsg-1ubuntu0.11.10.1 Ubuntu 11.04: clamav 0.97.5+dfsg-1ubuntu0.11.04.1 clamav-daemon 0.97.5+dfsg-1ubuntu0.11.04.1 libclamav6 0.97.5+dfsg-1ubuntu0.11.04.1 Ubuntu 10.04 LTS: clamav 0.96.5+dfsg-1ubuntu1.10.04.4 clamav-daemon 0.96.5+dfsg-1ubuntu1.10.04.4 libclamav6 0.96.5+dfsg-1ubuntu1.10.04.4 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1482-1 CVE-2012-1457, CVE-2012-1458, CVE-2012-1459 Package Information: https://launchpad.net/ubuntu/+source/clamav/0.97.5+dfsg-1ubuntu0.12.04.1 https://launchpad.net/ubuntu/+source/clamav/0.97.5+dfsg-1ubuntu0.11.10.1 https://launchpad.net/ubuntu/+source/clamav/0.97.5+dfsg-1ubuntu0.11.04.1 https://launchpad.net/ubuntu/+source/clamav/0.96.5+dfsg-1ubuntu1.10.04.4 . The Microsoft CHM file parser in ClamAV 0.96.4 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.97.5 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: d82d78601290e2f6073974170c81841a mes5/i586/clamav-0.97.5-0.1mdvmes5.2.i586.rpm 80f0475472c0217afd3727019bf27e53 mes5/i586/clamav-db-0.97.5-0.1mdvmes5.2.i586.rpm c13835eadea8d2af15b628fba3159e8b mes5/i586/clamav-milter-0.97.5-0.1mdvmes5.2.i586.rpm d7c058fae32f1a081b1d4ca31157df0e mes5/i586/clamd-0.97.5-0.1mdvmes5.2.i586.rpm 5ad153709c7eb510c2be2e82bfa5ac52 mes5/i586/libclamav6-0.97.5-0.1mdvmes5.2.i586.rpm 96e3d3f3e9bea802c4109c155c9d1465 mes5/i586/libclamav-devel-0.97.5-0.1mdvmes5.2.i586.rpm 203cde43731b63729d1f7f6497033184 mes5/SRPMS/clamav-0.97.5-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: b30f5aafd9aaff0a7743fb62f33ccbea mes5/x86_64/clamav-0.97.5-0.1mdvmes5.2.x86_64.rpm 1508801239427c0ac72734f52cb4451c mes5/x86_64/clamav-db-0.97.5-0.1mdvmes5.2.x86_64.rpm 92b4c5ca6db656801b5b6ae217c6e171 mes5/x86_64/clamav-milter-0.97.5-0.1mdvmes5.2.x86_64.rpm 94fad12df2cc900309087bbda13c826a mes5/x86_64/clamd-0.97.5-0.1mdvmes5.2.x86_64.rpm 8ec166a457d0512479adaaf5f80d487f mes5/x86_64/lib64clamav6-0.97.5-0.1mdvmes5.2.x86_64.rpm 19bc2758175bcde28ebf7783d68a9b98 mes5/x86_64/lib64clamav-devel-0.97.5-0.1mdvmes5.2.x86_64.rpm 203cde43731b63729d1f7f6497033184 mes5/SRPMS/clamav-0.97.5-0.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFP3tnKmqjQ0CJFipgRAj4wAJ9eURS1mZYCZhkmUTVE/U8QAH47MwCgxQzf OUr1QL5Wsvt3KboLKCdYUhE= =1QL7 -----END PGP SIGNATURE-----
VAR-201203-0146 CVE-2012-1461 Multiple products Gzip Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, F-Secure Anti-Virus 9.0.16160.0, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, Rising Antivirus 22.83.00.03, Sophos Anti-Virus 4.61.0, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004, and VBA32 3.12.14.2 allows remote attackers to bypass malware detection via a .tar.gz file with multiple compressed streams. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different Gzip parser implementations. Multiple products Gzip A file parser contains a vulnerability that can prevent malware detection. Different Gzip If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.Have multiple compressed streams by a third party .tar.gz Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection
VAR-201203-0380 CVE-2012-1456 Multiple products TAR Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The TAR file parser in AVG Anti-Virus 10.0.0.1190, Quick Heal (aka Cat QuickHeal) 11.00, Comodo Antivirus 7424, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, Panda Antivirus 10.0.2.7, Rising Antivirus 22.83.00.03, Sophos Anti-Virus 4.61.0, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, and Trend Micro HouseCall 9.120.0.1004 allows remote attackers to bypass malware detection via a TAR file with an appended ZIP file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Multiple products TAR A file parser contains a vulnerability that can prevent malware detection. Different TAR If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.By a third party ZIP File attached TAR Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: AVG AVG Anti-Virus 10.0.0.1190 Quick Heal Technologies CAT-QuickHeal 11.00 Comodo AntiVirus 7424 Emsisoft Antivirus 5.1.0.1 eSafe Antivirus 7.0.17.0 Frisk Software F-Prot Antivirus 4.6.2.117 Fortinet Antivirus 4.2.254.0 Ikarus Antivirus T3.1.1.97.0
VAR-201203-0371 CVE-2012-1447 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Fortinet Antivirus 4.2.254.0, eSafe 7.0.17.0, Dr.Web 5.0.2.03300, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified e_version field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: DrWeb Antivirus 5.0.2.03300 Panda Antivirus 10.0.2.7. Fortinet Antivirus is an antivirus software designed by Fortinet Company using signature database and heuristic scanning engine
VAR-201203-0147 CVE-2012-1462 Multiple products ZIP Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ZIP file parser in AhnLab V3 Internet Security 2011.01.18.00, AVG Anti-Virus 10.0.0.1190, Quick Heal (aka Cat QuickHeal) 11.00, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, Kaspersky Anti-Virus 7.0.0.125, Norman Antivirus 6.06.12, Sophos Anti-Virus 4.61.0, and AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11 allows remote attackers to bypass malware detection via a ZIP file containing an invalid block of data at the beginning. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ZIP parser implementations. Multiple products ZIP A file parser contains a vulnerability that can prevent malware detection. Different ZIP Parser If it is announced that there is also a problem with the implementation of CVE May be split.A third party includes an invalid block of data at the beginning ZIP Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection
VAR-201203-0370 CVE-2012-1446 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Quick Heal (aka Cat QuickHeal) 11.00, McAfee Anti-Virus Scanning Engine 5.400.0.1158, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Norman Antivirus 6.06.12, eSafe 7.0.17.0, Kaspersky Anti-Virus 7.0.0.125, McAfee Gateway (formerly Webwasher) 2010.1C, Sophos Anti-Virus 4.61.0, CA eTrust Vet Antivirus 36.1.8511, Antiy Labs AVL SDK 2.0.3.7, PC Tools AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified encoding field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF A file parser contains a vulnerability that can prevent malware detection. Different ELF If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.Changed by a third party encoding With field ELF Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0402 CVE-2012-1442 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Quick Heal (aka Cat QuickHeal) 11.00, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, eSafe 7.0.17.0, Kaspersky Anti-Virus 7.0.0.125, F-Secure Anti-Virus 9.0.16160.0, Sophos Anti-Virus 4.61.0, Antiy Labs AVL SDK 2.0.3.7, Rising Antivirus 22.83.00.03, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified class field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF A file parser contains a vulnerability that can prevent malware detection. Different ELF If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.Changed by a third party class With field ELF Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0389 CVE-2012-1429 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, and nProtect Anti-Virus 2011-01-17.01 allows remote attackers to bypass malware detection via an ELF file with a ustar character sequence at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF A file parser contains a vulnerability that can prevent malware detection. Different ELF If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.A specific position by a third party ustar With the character sequence ELF Malware detection may be avoided via files. Multiple Antivirus products are prone prone to a vulnerability that may allow an attacker to bypass on-demand scans. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: BitDefender AntiVirus 7.2 Comodo AntiVirus 7424 Emsisoft Antivirus 5.1.0.1 eSafe Antivirus 7.0.17.0 Ikarus Antivirus T3.1.1.97.0 McAfee McAfee 5.400.0.1158 McAfee McAfee-GW-Edition 2010.1C INCA nProtect 2011-01-17.01. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1446 29. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0385 CVE-2012-1425 Multiple products TAR Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, Quick Heal (aka Cat QuickHeal) 11.00, Emsisoft Anti-Malware 5.1.0.1, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro AntiVirus 9.120.0.1004, and Trend Micro HouseCall 9.120.0.1004 allows remote attackers to bypass malware detection via a POSIX TAR file with an initial \50\4B\03\04 character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Multiple products TAR A file parser contains a vulnerability that can prevent malware detection. Different TAR If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.By a third party \50\4B\03\04 Has a character sequence starting with POSIX TAR Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: AVIRA AntiVir Engine 7.11.1.163 Antiy Antiy-AVL 2.0.3.7 Quick Heal Technologies CAT-QuickHeal 11.00 Emsisoft Antivirus 5.1.0.1 Ikarus Antivirus T3.1.1.97.0 Jiangmin 13.0.900 Kaspersky Antivirus 7.0.0.125 McAfee 5.400.0.1158 McAfee-GW-Edition 2010.1C NOD32 5795 Norman Antivirus 6.06.12 PCTools Antivirus 7.0.3.5 Symantec AntiVirus 20101.3.0.103 TrendMicro 9.120.0.1004 TrendMicro-HouseCall 9.120.0.1004. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. Affected products - AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117,Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1456 39. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0390 CVE-2012-1430 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, nProtect Anti-Virus 2011-01-17.01, Sophos Anti-Virus 4.61.0, and Rising Antivirus 22.83.00.03 allows remote attackers to bypass malware detection via an ELF file with a \19\04\00\10 character sequence at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF A file parser contains a vulnerability that can prevent malware detection. Different ELF If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.A specific position by a third party \19\04\00\10 With the character sequence ELF Malware detection may be avoided via files. Multiple Antivirus products are prone prone to a vulnerability that may allow an attacker to bypass on-demand scans. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0391 CVE-2012-1431 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Bitdefender 7.2, Command Antivirus 5.2.11.5, Comodo Antivirus 7424, eSafe 7.0.17.0, F-Prot Antivirus 4.6.2.117, F-Secure Anti-Virus 9.0.16160.0, McAfee Gateway (formerly Webwasher) 2010.1C, nProtect Anti-Virus 2011-01-17.01, Sophos Anti-Virus 4.61.0, and Rising Antivirus 22.83.00.03 allows remote attackers to bypass malware detection via an ELF file with a \4a\46\49\46 character sequence at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Multiple products ELF A file parser contains a vulnerability that can prevent malware detection. Different ELF If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.A specific position by a third party \4a\46\49\46 With the character sequence ELF Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1425 8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1446 29. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0367 CVE-2012-1443 Multiple products RAR Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The RAR file parser in ClamAV 0.96.4, Rising Antivirus 22.83.00.03, Quick Heal (aka Cat QuickHeal) 11.00, G Data AntiVirus 21, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Command Antivirus 5.2.11.5, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, Emsisoft Anti-Malware 5.1.0.1, PC Tools AntiVirus 7.0.3.5, F-Prot Antivirus 4.6.2.117, VirusBuster 13.6.151.0, Fortinet Antivirus 4.2.254.0, Antiy Labs AVL SDK 2.0.3.7, K7 AntiVirus 9.77.3565, Trend Micro HouseCall 9.120.0.1004, Kaspersky Anti-Virus 7.0.0.125, Jiangmin Antivirus 13.0.900, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, Sophos Anti-Virus 4.61.0, NOD32 Antivirus 5795, Avira AntiVir 7.11.1.163, Norman Antivirus 6.06.12, McAfee Anti-Virus Scanning Engine 5.400.0.1158, Panda Antivirus 10.0.2.7, McAfee Gateway (formerly Webwasher) 2010.1C, Trend Micro AntiVirus 9.120.0.1004, Comodo Antivirus 7424, Bitdefender 7.2, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, nProtect Anti-Virus 2011-01-17.01, AhnLab V3 Internet Security 2011.01.18.00, AVG Anti-Virus 10.0.0.1190, avast! Antivirus 4.8.1351.0 and 5.0.677.0, and VBA32 3.12.14.2 allows user-assisted remote attackers to bypass malware detection via a RAR file with an initial MZ character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different RAR parser implementations. Multiple products RAR A file parser contains a vulnerability that can prevent malware detection. Different RAR If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.By the attacker, MZ Has a character sequence starting with RAR Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Sophos Anti-Virus is a set of anti-virus software for various operating systems from Sophos, UK. The software detects and removes viruses, spyware, trojans and worms in real time, ensuring comprehensive network protection for desktops and laptops. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1425 8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1446 29. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. Affected products - AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117,Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1456 39. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0399 CVE-2012-1439 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in eSafe 7.0.17.0, Rising Antivirus 22.83.00.03, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified padding field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: eSafe Antivirus 7.0.17.0 Rising Antivirus 22.83.00.03 Panda Antivirus 10.0.2.7. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1425 8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0400 CVE-2012-1440 Multiple products ELF Vulnerability to bypass malware detection in file parser CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in Norman Antivirus 6.06.12, eSafe 7.0.17.0, CA eTrust Vet Antivirus 36.1.8511, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified identsize field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. CVE May be split intoChanged by a third party identsize Have fields ELF Via files, malware detection can be bypassed. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0383 CVE-2012-1423 Multiple products TAR Vulnerability to bypass malware detection in file parser CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The TAR file parser in Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, F-Prot Antivirus 4.6.2.117, Fortinet Antivirus 4.2.254.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, K7 AntiVirus 9.77.3565, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, and VirusBuster 13.6.151.0 allows remote attackers to bypass malware detection via a POSIX TAR file with an initial MZ character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Multiple products TAR The file parser contains a vulnerability that can bypass malware detection. CVE May be split intoBy a third party, MZ Has a character sequence that starts with POSIX TAR Via files, malware detection can be bypassed. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0368 CVE-2012-1444 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in eSafe 7.0.17.0, Prevx 3.0, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified abiversion field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: Fortinent Fortinent Antivirus 4.2.254.0 Prevx Prevx 3.0 eSafe Antivirus 7.0.017 0 Panda Antivirus 10.0.2.7. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. Affected products - AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117,Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1456 39. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0369 CVE-2012-1445 Multiple products ELF Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The ELF file parser in eSafe 7.0.17.0, Rising Antivirus 22.83.00.03, Fortinet Antivirus 4.2.254.0, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified abi field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. The following products are affected: Fortinent Fortinent Antivirus 4.2.254.0 Rising Antivirus 22.83.00.03 eSafe Antivirus 7.0.017 0 Panda Antivirus 10.0.2.7. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1425 8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AhnLab-V3 2011.01.18.00, AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Comodo 7424, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7, PCTools 7.0.3.5, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1459 42. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0364 CVE-2012-1420 Multiple products TAR Vulnerability that prevents file parsers from detecting malware CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The TAR file parser in Quick Heal (aka Cat QuickHeal) 11.00, Command Antivirus 5.2.11.5, F-Prot Antivirus 4.6.2.117, Fortinet Antivirus 4.2.254.0, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus 7.0.0.125, Antimalware Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, NOD32 Antivirus 5795, Norman Antivirus 6.06.12, Panda Antivirus 10.0.2.7, and Rising Antivirus 22.83.00.03 allows remote attackers to bypass malware detection via a POSIX TAR file with an initial \7fELF character sequence. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations. Multiple products TAR A file parser contains a vulnerability that can prevent malware detection. Different TAR If it is announced that there is also a problem with the parser implementation, this vulnerability can be CVE May be split.By a third party \7fELF ( backslash 7fELF) Has a character sequence starting with POSIX TAR Malware detection may be avoided via files. Successful exploits will allow attackers to bypass on-demand virus scanning, possibly allowing malicious files to escape detection. Multiple file-parsing vulnerabilities leading to evasion in different antivirus(AV) products. All affected products are command-line versions of the AVs. ---------------------------- Vulnerability Descriptions ---------------------------- 1. Specially crafted infected POSIX TAR files with "[aliases]" as first 9 bytes evades detection. Affected products - ClamAV 0.96.4, CAT-QuickHeal 11.00 CVE no - CVE-2012-1419 2. Specially crafted infected POSIX TAR files with "\7fELF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, Fortinent 4.2.254.0, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03 CVE no - CVE-2012-1420 3. Specially crafted infected POSIX TAR files with "MSCF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Rising 22.83.00.03, Symantec 20101.3.0.103 CVE no - CVE-2012-1421 4. Specially crafted infected POSIX TAR files with "ITSF" as first 4 bytes evades detection. Affected products - CAT-QuickHeal 11.00, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1422 5. Specially crafted infected POSIX TAR files with "MZ" as first 2 bytes evades detection. Affected products - Command 5.2.11.5, Emsisoft 5.1.0.1, F-Prot 4.6.2.117, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, K7AntiVirus 9.77.3565, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, VirusBuster 13.6.151.0 CVE no - CVE-2012-1423 6. Specially crafted infected POSIX TAR files with "\19\04\00\10" at offset 8 evades detection. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Jiangmin 13.0.900, Norman 6.06.12, PCTools 7.0.3.5, Sophos 4.61.0 CVE no - CVE-2012-1424 7. Specially crafted infected POSIX TAR files with "\50\4B\03\04" as the first 4 bytes evades detection. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, Fortinet 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1425 8. Specially crafted infected POSIX TAR files with "\42\5A\68" as the first 3 bytes evades detection. Affected products - CAT-QuickHeal 11.00, Command 5.2.11.5, F-Prot 4.6.2.117, K7AntiVirus 9.77.3565, Norman 6.06.12, Rising 22.83.00.03 CVE no - CVE-2012-1426 9. Specially crafted infected POSIX TAR files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1427 10. Specially crafted infected POSIX TAR files with "\4a\46\49\46" at offset 6 evades detection. Affected products - CAT-QuickHeal 11.00, Norman 6.06.12, Sophos 4.61.0 CVE no - CVE-2012-1428 11. Specially crafted infected ELF files with "ustar" at offset 257 evades detection. Affected products - BitDefender 7.2, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Secure 9.0.16160.0, Ikarus T3.1.1.97.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01 CVE no - CVE-2012-1429 12. Specially crafted infected ELF files with "\19\04\00\10" at offset 8 evades detection. Affected products - BitDefender 7.2, Comodo 7424, eSafe 7.0.17.0, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1430 13. Specially crafted infected ELF files with "\4a\46\49\46" at offset 6 evades detection. Affected products - BitDefender 7.2, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee-GW-Edition 2010.1C, nProtect 2011-01-17.01, Sophos 4.61.0, Rising 22.83.00.03 CVE no - CVE-2012-1431 14. Specially crafted infected MS EXE files with "\57\69\6E\5A\69\70" at offset 29 evades detection. Affected products - Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1432 15. Specially crafted infected MS EXE files with "\4a\46\49\46" at offset 6 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1433 16. Specially crafted infected MS EXE files with "\19\04\00\10" at offset 8 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1434 17. Specially crafted infected MS EXE files with "\50\4B\4C\49\54\45" at offset 30 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1435 18. Specially crafted infected MS EXE files with "\2D\6C\68" at offset 2 evades detection. Affected products - AhnLab-V3 2011.01.18.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Ikarus T3.1.1.97.0, Panda 10.0.2.7 CVE no - CVE-2012-1436 19. Specially crafted infected MS Office files with "\50\4B\53\70\58" at offset 526 evades detection. Affected products - Comodo 7425 CVE no - CVE-2012-1437 20. Specially crafted infected MS Office files with "ustar" at offset 257 evades detection. Affected products - Comodo 7425, Sophos 4.61.0 CVE no - CVE-2012-1438 21. 'padding' field in ELF files is parsed incorrectly. If an infected ELF file's padding field is incremented by 1 it evades detection. Affected products - eSafe 7.0.17.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1439 22. 'identsize' field in ELF files is parsed incorrectly. If an infected ELF file's identsize field is incremented by 1 it evades detection. Affected products - Norman 6.06.12, eSafe 7.0.17.0, eTrust-Vet 36.1.8511, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1440 23. 'e_ip' and 'e_res' field in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - Prevx 3.0 'e_minalloc', 'e_res2','e_cparhdr', 'e_crlc', 'e_lfarlc','e_maxalloc', 'e_oeminfo', 'e_ovno', 'e_cs', 'e_csum','e_sp', 'e_ss', 'e_cblp' and 'e_oemid' fields in MS EXE files are parsed incorrectly. If any of these fields in an infected MS EXE file is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0 CVE no - CVE-2012-1441 24. 'class' field in ELF files is parsed incorrectly. If an infected ELF file's class field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, eSafe 7.0.017.0, Kaspersky 7.0.0.125, F-Secure 9.0.16160.0, Sophos 4.61.0, Antiy-AVL 2.0.3.7, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1442 25. Infected RAR files with initial two bytes set to 'MZ' can be fixed by the user and correctly extracted. Such a file evades detection. Affected products - ClamAV 0.96.4, Rising 22.83.00.03, CAT-QuickHeal 11.00, GData 21, Symantec 20101.3.0.103, Command 5.2.11.5, Ikarus T3.1.1.97.0, Emsisoft 5.1.0.1, PCTools 7.0.3.5, F-Prot 4.6.2.117, VirusBuster 13.6.151.0, Fortinent 4.2.254.0, Antiy-AVL 2.0.3.7, K7AntiVirus 9.77.3565, TrendMicro-HouseCall 9.120.0.1004,Kaspersky 7.0.0.125 Jiangmin 13.0.900. Microsoft 1.6402, Sophos 4.61.0, NOD32 5795, AntiVir 7.11.1.163, Norman 6.06.12, McAfee 5.400.0.1158, Panda 10.0.2.7, McAfee-GW-Edition 2010.1C, TrendMicro 9.120.0.1004, Comodo 7424, BitDefender 7.2, eSafe 7.0.17.0, F-Secure 9.0.16160.0 nProtect 2011-01-17.01, AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, Avast 4.8.1351.0, Avast5 5.0.677.0, VBA32 3.12.14.2 CVE no - CVE-2012-1443 26. 'abiversion' field in ELF files is parsed incorrectly. If an infected ELF file's abiversion field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Prevx 3.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1444 27. 'abi' field in ELF files is parsed incorrectly. If an infected ELF file's abi field is incremented by 1 it evades detection. Affected products - eSafe 7.0.017.0, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1445 28. 'encoding' field in ELF files is parsed incorrectly. If an infected ELF file's encoding field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, McAfee 5.400.0.1158, Symantec 20101.3.0.103, Norman 6.06.12, eSafe 7.0.017.0, Kaspersky 7.0.0.125, McAfee-GW-Edition 2010.1C, Sophos 4.61.0, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, PCTools 7.0.3.5, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1446 29. 'e_version' field in ELF files is parsed incorrectly. If an infected ELF file's e_version field is incremented by 1 it evades detection. Affected products - Fortinet 4.2.254.0, eSafe 7.0.017.0, DrWeb 5.0.2.03300, Panda 10.0.2.7 CVE no - CVE-2012-1447 30. 'cbCabinet' field in CAB files is parsed incorrectly. If an infected CAB file's cbCabinet field is incremented by 1 it evades detection. Affected products - CAT-QuickHeal 11.00, TrendMicro 9.120.0.1004, Ikarus T3.1.1.97.0 TrendMicro-HouseCall 9.120.0.1004, Emsisoft 5.1.0.1 CVE no - CVE-2012-1448 31. 'vMajor' field in CAB files is parsed incorrectly. If an infected CAB file's vMajor field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1449 32. 'reserved3' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Sophos 4.61.0, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1450 33. 'reserved2' field in CAB files is parsed incorrectly. If an infected CAB file's reserved2 field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0 CVE no - CVE-2012-1451 34. 'reserved1' field in CAB files is parsed incorrectly. If an infected CAB file's reserved field is incremented by 1 it evades detection. Affected products - Emsisoft 5.1.0.1, Ikarus T3.1.1.97.0, CAT-QuickHeal 11.00 CVE no - CVE-2012-1452 35. 'coffFiles' field in CAB files is parsed incorrectly. If an infected CAB file's coffFiles field is incremented by 1 it evades detection. Affected products - McAfee 5.0.2.03300, TrendMicro-HouseCall 9.120.0.1004, Kaspersky 7.0.0.125, Sophos 4.61.0, TrendMicro 9.120.0.1004, McAfee-GW-Edition 2010.1C, Emsisoft 5.1.0.1, eTrust-Vet 36.1.8511, Antiy-AVL 2.0.3.7, Microsoft 1.6402, Rising 22.83.00.03, Ikarus T3.1.1.97.0, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1453 36. 'ei_version' field in ELF files is parsed incorrectly. If an infected ELF file's version field is incremented by 1 it evades detection. Affected products - McAfee 5.0.02.03300, eSafe 7.0.17.0, McAfee-GW-Edition 2010.1C, Rising 22.83.00.03, Fortinet 4.2.254.0, Panda 10.0.2.7 CVE no - CVE-2012-1454 37. 'vMinor' field in CAB files is parsed incorrectly. If an infected CAB file's version field is incremented by 1 it evades detection. Affected products - NOD32 5795, Rising 22.83.00.03 CVE no - CVE-2012-1455 38. A specially crafted ZIP file, created by concatenating the contents of a clean TAR archive and a virus-infected ZIP archive, is parsed incorrectly and evades detection. Affected products - AVG 10.0.0.1190, CAT-QuickHeal 11.00, Comodo 7424, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117,Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Panda 10.0.2.7, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004 CVE no - CVE-2012-1456 39. If the length field in the header of a file with test EICAR virus included into a TAR archive is set to be greater than the archive's total length (1,000,000+original length in our experiments), the antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. Affected products - AntiVir 7.11.1.163, Antiy-AVL 2.0.3.7, Avast 4.8.1351.0, Avast5 5.0.677.0, AVG 10.0.0.1190, BitDefender 7.2, CAT-QuickHeal 11.00, ClamAV 0.96.4, Command 5.2.11.5, Emsisoft 5.1.0.1, eSafe 7.0.17.0, F-Prot 4.6.2.117, GData 21, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, Microsoft 1.6402, NOD32 5795, Norman 6.06.12, PCTools 7.0.3.5, Rising 22.83.00.03, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2, VirusBuster 13.6.151.0 CVE no - CVE-2012-1457 40. A Windows Compiled HTML Help (CHM) file is a set of HTML files, scripts, and images compressed using the LZX algorithm. For faster random accesses, the algorithm is reset at intervals instead of compressing the entire file as a single stream. The length of each interval is specified in the LZXC header. If an infected CHM file's header modified so that the reset interval is lower than in the original file, the antivirus declares the file to be clean. But the Windows CHM viewer hh.exe correctly decompresses the infected content located before the tampered header. Affected products - ClamAV 0.96.4, Sophos 4.61.0 CVE no - CVE-2012-1458 41. In a POSIX TAR archive, each member file has a 512-byte header protected by a simple checksum. Every header also contains a file length field, which is used by the extractor to locate the next header in the archive. If a TAR archive contains two files: the first one is clean, while the second is infected with test EICAR virus - and it is modified such that the length field in the header of the first, clean file to point into the middle of the header of the second, infected file. The antivirus declares the file to be clean but virus gets extracted correctly by the GNU tar program. If an infected tar.gz archive is appended 6 random bytes at the end, the antivirus declares the file to be clean but virus gets extracted by the gunzip+tar programs correctly by ignoring these bytes. Affected products - Antiy-AVL 2.0.3.7, CAT-QuickHeal 11.00, Command 5.2.11.5, eSafe 7.0.17.0, F-Prot 4.6.2.117, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, VBA32 3.12.14.2 CVE no - CVE-2012-1460 43. GZIP files can contain multiple compressed streams, which are assembled when the contents are extracted. If an infected .tar.gz file is broken into two streams, the antivirus declares the infected .tar.gz file to be clean while tar+gunzip extract the virus correctly Affected products - AVG 10.0.0.1190, BitDefender 7.2, Command 5.2.11.5, Emsisoft 5.1.0.1, F-Secure 9.0.16160.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, K7AntiVirus 9.77.3565, Kaspersky 7.0.0.125, McAfee 5.400.0.1158, McAfee-GW-Edition 2010.1C, NOD32 5795, Norman 6.06.12, Rising 22.83.00.03, Sophos 4.61.0, Symantec 20101.3.0.103, TrendMicro 9.120.0.1004, TrendMicro-HouseCall 9.120.0.1004, VBA32 3.12.14.2 CVE no - CVE-2012-1461 44. If an infected ZIP archive is prepended with 1024 random bytes at the beginning, the antivirus declares the file to be clean but virus gets extracted by the unzip program correctly by skipping these bytes Affected products - AhnLab-V3 2011.01.18.00, AVG 10.0.0.1190, CAT-QuickHeal 11.00, Emsisoft 5.1.0.1, eSafe 7.0.17.0, Fortinent 4.2.254.0, Ikarus T3.1.1.97.0, Jiangmin 13.0.900, Kaspersky 7.0.0.125, Norman 6.06.12, Sophos 4.61.0, Symantec 20101.3.0.103 CVE no - CVE-2012-1462 45. In most ELF files, the 5th byte of the header indicates endianness: 01 for little-endian, 02 for bigendian. Linux kernel, however, does not check this field before loading an ELF file. If an infected ELF file's 5-th byte is set to 02, the antivirus declares the file to be clean but the ELF file gets executed correctly. Affected products - AhnLab-V3 2011.01.18.00, BitDefender 7.2, CAT-QuickHeal 11.00, Command 5.2.11.5, Comodo 7424, eSafe 7.0.17.0, F-Prot 4.6.2.117, F-Secure 9.0.16160.0, McAfee 5.400.0.1158, Norman 6.06.12, nProtect 2011-01-17.01, Panda 10.0.2.7 CVE no - CVE-2012-1463 -------- Credits -------- Vulnerabilities found and advisory written by Suman Jana and Vitaly Shmatikov. ----------- References ----------- "Abusing File Processing in Malware Detectors for Fun and Profit" by Suman Jana and Vitaly Shmatikov To appear in IEEE Symposium on Security and Privacy 2012 http://www.ieee-security.org/TC/SP2012/
VAR-201203-0519 No CVE JP1/Cm2/Network Node Manager i Denial of Service (DoS) Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: High
JP1/Cm2/Network Node Manager i (NNMi) contains vulnerabilities could allow a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. A remote attacker could cause a denial of service (DoS) condition or execute arbitrary code.